|
|
a60cd7 |
From 29e8577ae1d7252513883941cae1c576f30c2d75 Mon Sep 17 00:00:00 2001
|
|
|
a60cd7 |
From: Matej Habrnal <mhabrnal@redhat.com>
|
|
|
a60cd7 |
Date: Tue, 22 Mar 2016 12:35:55 +0100
|
|
|
a60cd7 |
Subject: [PATCH] ccpp: add AllowedUsers and AllowedGroups feature
|
|
|
a60cd7 |
|
|
|
a60cd7 |
The feature allows dump core only for allowed users.
|
|
|
a60cd7 |
|
|
|
a60cd7 |
The logic is the following:
|
|
|
a60cd7 |
- if both options are not-defined or empty keep all core dumps
|
|
|
a60cd7 |
- else if crashed UID is in the list of users keep the core dump
|
|
|
a60cd7 |
- else if crashed UID belongs to a group in the list of groups keep the core dump
|
|
|
a60cd7 |
|
|
|
a60cd7 |
Related to rhbz#1277849
|
|
|
a60cd7 |
|
|
|
a60cd7 |
Signed-off-by: Matej Habrnal <mhabrnal@redhat.com>
|
|
|
a60cd7 |
---
|
|
|
a60cd7 |
doc/abrt-CCpp.conf.txt | 10 ++++++++
|
|
|
a60cd7 |
src/hooks/CCpp.conf | 7 ++++++
|
|
|
a60cd7 |
src/hooks/abrt-hook-ccpp.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++
|
|
|
a60cd7 |
3 files changed, 80 insertions(+)
|
|
|
a60cd7 |
|
|
|
a60cd7 |
diff --git a/doc/abrt-CCpp.conf.txt b/doc/abrt-CCpp.conf.txt
|
|
|
a60cd7 |
index 4db4b54..dffa45d 100644
|
|
|
a60cd7 |
--- a/doc/abrt-CCpp.conf.txt
|
|
|
a60cd7 |
+++ b/doc/abrt-CCpp.conf.txt
|
|
|
a60cd7 |
@@ -43,6 +43,16 @@ IgnoredPaths = /path/to/ignore/*, */another/ignored/path* ...::
|
|
|
a60cd7 |
ABRT will ignore crashes in executables whose absolute path matches one of
|
|
|
a60cd7 |
specified patterns.
|
|
|
a60cd7 |
|
|
|
a60cd7 |
+AllowedUsers = root, ...::
|
|
|
a60cd7 |
+ ABRT will process only crashes of either allowed users 'AllowedUsers' or
|
|
|
a60cd7 |
+ users who are members of allowed group 'AllowedGroups'. If no allowed users
|
|
|
a60cd7 |
+ nor allowed group are specified ABRT will process crashes of all users.
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+AllowedGroups = root, ...::
|
|
|
a60cd7 |
+ ABRT will process only crashes of either allowed users 'AllowedUsers' or
|
|
|
a60cd7 |
+ users who are members of allowed group 'AllowedGroups'. If no allowed users
|
|
|
a60cd7 |
+ nor allowed group are specified ABRT will process crashes of all users.
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
VerboseLog = NUM::
|
|
|
a60cd7 |
Used to make the hook more verbose
|
|
|
a60cd7 |
|
|
|
a60cd7 |
diff --git a/src/hooks/CCpp.conf b/src/hooks/CCpp.conf
|
|
|
a60cd7 |
index be55e05..af31ed5 100644
|
|
|
a60cd7 |
--- a/src/hooks/CCpp.conf
|
|
|
a60cd7 |
+++ b/src/hooks/CCpp.conf
|
|
|
a60cd7 |
@@ -37,3 +37,10 @@ SaveFullCore = yes
|
|
|
a60cd7 |
# specified patterns.
|
|
|
a60cd7 |
#
|
|
|
a60cd7 |
#IgnoredPaths =
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+# ABRT will process only crashes of either allowed users or users who are
|
|
|
a60cd7 |
+# members of allowed group. If no allowed users nor allowed group are specified
|
|
|
a60cd7 |
+# ABRT will process crashes of all users.
|
|
|
a60cd7 |
+#
|
|
|
a60cd7 |
+#AllowedUsers =
|
|
|
a60cd7 |
+#AllowedGroups =
|
|
|
a60cd7 |
diff --git a/src/hooks/abrt-hook-ccpp.c b/src/hooks/abrt-hook-ccpp.c
|
|
|
a60cd7 |
index 18cd608..c9fbf68 100644
|
|
|
a60cd7 |
--- a/src/hooks/abrt-hook-ccpp.c
|
|
|
a60cd7 |
+++ b/src/hooks/abrt-hook-ccpp.c
|
|
|
a60cd7 |
@@ -645,6 +645,44 @@ static bool is_path_ignored(const GList *list, const char *path)
|
|
|
a60cd7 |
return false;
|
|
|
a60cd7 |
}
|
|
|
a60cd7 |
|
|
|
a60cd7 |
+static bool is_user_allowed(uid_t uid, const GList *list)
|
|
|
a60cd7 |
+{
|
|
|
a60cd7 |
+ const GList *li;
|
|
|
a60cd7 |
+ for (li = list; li != NULL; li = g_list_next(li))
|
|
|
a60cd7 |
+ {
|
|
|
a60cd7 |
+ const char *username = (const char*)li->data;
|
|
|
a60cd7 |
+ struct passwd *pw = getpwnam(username);
|
|
|
a60cd7 |
+ if (pw == NULL)
|
|
|
a60cd7 |
+ {
|
|
|
a60cd7 |
+ log_warning("can't get uid of user '%s' (listed in 'AllowedUsers')", username);
|
|
|
a60cd7 |
+ continue;
|
|
|
a60cd7 |
+ }
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+ if(pw->pw_uid == uid)
|
|
|
a60cd7 |
+ return true;
|
|
|
a60cd7 |
+ }
|
|
|
a60cd7 |
+ return false;
|
|
|
a60cd7 |
+}
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+static bool is_user_in_allowed_group(uid_t uid, const GList *list)
|
|
|
a60cd7 |
+{
|
|
|
a60cd7 |
+ const GList *li;
|
|
|
a60cd7 |
+ for (li = list; li != NULL; li = g_list_next(li))
|
|
|
a60cd7 |
+ {
|
|
|
a60cd7 |
+ const char *groupname = (const char*)li->data;
|
|
|
a60cd7 |
+ struct group *gr = getgrnam(groupname);
|
|
|
a60cd7 |
+ if (gr == NULL)
|
|
|
a60cd7 |
+ {
|
|
|
a60cd7 |
+ log_warning("can't get gid of group '%s' (listed in 'AllowedGroups')", groupname);
|
|
|
a60cd7 |
+ continue;
|
|
|
a60cd7 |
+ }
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+ if(uid_in_group(uid, gr->gr_gid))
|
|
|
a60cd7 |
+ return true;
|
|
|
a60cd7 |
+ }
|
|
|
a60cd7 |
+ return false;
|
|
|
a60cd7 |
+}
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
static int test_configuration(bool setting_SaveFullCore, bool setting_CreateCoreBacktrace)
|
|
|
a60cd7 |
{
|
|
|
a60cd7 |
if (!setting_SaveFullCore && !setting_CreateCoreBacktrace)
|
|
|
a60cd7 |
@@ -701,6 +739,8 @@ int main(int argc, char** argv)
|
|
|
a60cd7 |
bool setting_SaveFullCore;
|
|
|
a60cd7 |
bool setting_CreateCoreBacktrace;
|
|
|
a60cd7 |
GList *setting_ignored_paths = NULL;
|
|
|
a60cd7 |
+ GList *setting_allowed_users = NULL;
|
|
|
a60cd7 |
+ GList *setting_allowed_groups = NULL;
|
|
|
a60cd7 |
{
|
|
|
a60cd7 |
map_string_t *settings = new_map_string();
|
|
|
a60cd7 |
load_abrt_plugin_conf_file("CCpp.conf", settings);
|
|
|
a60cd7 |
@@ -716,6 +756,13 @@ int main(int argc, char** argv)
|
|
|
a60cd7 |
if (value)
|
|
|
a60cd7 |
setting_ignored_paths = parse_list(value);
|
|
|
a60cd7 |
|
|
|
a60cd7 |
+ value = get_map_string_item_or_NULL(settings, "AllowedUsers");
|
|
|
a60cd7 |
+ if (value)
|
|
|
a60cd7 |
+ setting_allowed_users = parse_list(value);
|
|
|
a60cd7 |
+ value = get_map_string_item_or_NULL(settings, "AllowedGroups");
|
|
|
a60cd7 |
+ if (value)
|
|
|
a60cd7 |
+ setting_allowed_groups = parse_list(value);
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
setting_CreateCoreBacktrace = value ? string_to_bool(value) : true;
|
|
|
a60cd7 |
value = get_map_string_item_or_NULL(settings, "VerboseLog");
|
|
|
a60cd7 |
if (value)
|
|
|
a60cd7 |
@@ -803,6 +850,22 @@ int main(int argc, char** argv)
|
|
|
a60cd7 |
return 0;
|
|
|
a60cd7 |
}
|
|
|
a60cd7 |
|
|
|
a60cd7 |
+ /* dumping core for user, if allowed */
|
|
|
a60cd7 |
+ if (setting_allowed_users || setting_allowed_groups)
|
|
|
a60cd7 |
+ {
|
|
|
a60cd7 |
+ if (setting_allowed_users && is_user_allowed(uid, setting_allowed_users))
|
|
|
a60cd7 |
+ log_debug("User %lu is listed in 'AllowedUsers'", (long unsigned)uid);
|
|
|
a60cd7 |
+ else if (setting_allowed_groups && is_user_in_allowed_group(uid, setting_allowed_groups))
|
|
|
a60cd7 |
+ log_debug("User %lu is member of group listed in 'AllowedGroups'", (long unsigned)uid);
|
|
|
a60cd7 |
+ else
|
|
|
a60cd7 |
+ {
|
|
|
a60cd7 |
+ error_msg_not_process_crash(pid_str, last_slash + 1, (long unsigned)uid, signal_no,
|
|
|
a60cd7 |
+ signame, "ignoring (not allowed in 'AllowedUsers' nor 'AllowedGroups')");
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+ xfunc_die();
|
|
|
a60cd7 |
+ }
|
|
|
a60cd7 |
+ }
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
user_pwd = get_cwd(pid);
|
|
|
a60cd7 |
log_notice("user_pwd:'%s'", user_pwd);
|
|
|
a60cd7 |
|
|
|
a60cd7 |
--
|
|
|
a60cd7 |
1.8.3.1
|
|
|
a60cd7 |
|